The cloud security design ensures that a customer’s data is only accessible by authorized entities. Windows Azure provides confidentiality via several mechanisms, one of which is Identity and Access Management. This ensures that only properly authenticated entities are allowed access.

Certificates and private keys are uploaded via the Service Management API (SMAPI) or the Windows Azure Portal as PKCS12 (PFX) files, protected in transit by SSL.

PKCS12 is one of the Public-Key Cryptography Standards (PKCS), published by RSA Laboratories, which defines a file format commonly used to store X.509 private keys with accompanying public key certificates, protected with a password-based symmetric key. SMAPI removes the password protection (if necessary), encrypts the entire PKCS12 blob using SMAPI’s public key and stores it in a secret store on the fabric controller, along with a short certificate name and the public key as metadata. The configuration data associated with any role within the same subscription specifies the certificates that should be made available to the role. When a role is instantiated on a VM, the fabric controller retrieves the appropriate certificate, decrypts the PKCS12 blob, and re-encrypts it using the fabric agent's public transport key. For more information on using certificates with Windows Azure, please read the Windows Azure Security Overview whitepaper.
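The hand-off described above, as an added example that is not Windows Azure's or SMAPI's own code: a stored secret is the blob under a fresh AES-256-GCM data key, that key wrapped with RSA-OAEP to the owner's public key, and the short certificate name bound in as metadata; Rewrap plays the fabric controller's step of opening with the store's key and re-sealing for the agent's transport key. The blob fed to Seal is a constructed stand-in for a password-stripped PKCS12 file; the password-removal step itself is not shown.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is a stored secret: blob under a fresh AES-256-GCM data key, that key wrapped to the owner's RSA key, name as metadata.
type Envelope struct {
	Name                          string
	WrappedKey, Nonce, Ciphertext []byte
}

// Seal encrypts blob so that only the holder of owner's private key can open it under this name.
func Seal(name string, blob []byte, owner *rsa.PublicKey) (*Envelope, error) {
	buf := make([]byte, 32+12) // 256-bit data key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	// The name is the OAEP label and the AEAD associated data, so the key and blob are tied to this metadata.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, owner, key, []byte(name))
	if err != nil {
		return nil, err
	}
	return &Envelope{name, wrapped, nonce, gcm.Seal(nil, nonce, blob, []byte(name))}, nil
}

// Open recovers the blob with the owner's private key; a changed name, nonce or ciphertext fails.
func Open(env *Envelope, owner *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, owner, env.WrappedKey, []byte(env.Name))
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.Name))
}

// Rewrap is the fabric controller's hand-off: open with the store's key, re-seal for the agent's transport key.
func Rewrap(env *Envelope, store *rsa.PrivateKey, agent *rsa.PublicKey) (*Envelope, error) {
	blob, err := Open(env, store) // plaintext lives only in memory between the two envelopes
	if err != nil {
		return nil, err
	}
	return Seal(env.Name, blob, agent)
}
```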

Objectives

In this lab, you will:

- Create a signing certificate and store it in the machine root.
- Create self-signed client and server certificates and store them in the appropriate certificate stores.
- Create a Windows Azure hosted WCF service that authenticates users based on the certificates.
- Create a SharePoint Web Part application that reads the client's certificate store for a valid certificate to consume the Windows Azure service.

The Windows Azure SDK (included in Windows Azure Tools for Visual Studio) installs a simulation environment on your development machine for testing Azure applications locally before deploying them to the cloud. The simulation environment consists of the development fabric, which hosts web and worker roles, and the development storage, which simulates cloud blob, table and queue storage locally.

Development storage uses SQL Server as its underlying storage mechanism, and by default the SDK will attempt to configure it to use SQL Server Express. If you do not have SQL Server Express installed before installing the SDK, or you wish to simply use an existing SQL Server instance to host the development storage database, you must run the dsinit command to select the SQL Server instance where the database will be created.

Using dsinit to Configure Development Storage

1. Open a command prompt.

2. Edit the following command line as appropriate for your environment, where [AzureSDKInstallDrive] is the drive where you installed the Azure SDK (or Windows Azure Tools for Visual Studio), and [YourSqlInstance] is the SQL Server instance where you want to create the development storage database.

argument, which specifies that the local default SQL instance will be used for development storage.

Estimated time to complete this lab: 60 minutes.

Exercise 1: Creating and Managing the Certificates

Task 1 – Creating the Certificates

A self-signed certificate is an identity certificate that is signed by its own creator. That is, the person that created the certificate also signed off on its legitimacy. In this exercise, you will create 3 certificates: the signing certificate, the client certificate and the server certificate.

1. Log into your Windows Azure Portal at http://windows.azure.com

2. Click New Hosted Service.

Figure 1: Windows Azure Ribbon menu

3. Create a new hosted service as follows:

Note: Use a unique name and URL prefix for your service, and ensure that "Do not deploy" is selected as the deployment option. By selecting this option, you are only reserving the name and the URL of your service. This URL is needed to create the service certificate.

Figure 2: Create a New Hosted Service

4. Click OK.

5. Wait a few minutes until the new hosted service is created and ready.

Since the signing certificate is self-signed, it must be installed in the Root store of the Azure hosted service. The configuration options do not support this (as a security measure), so it must be done using a Startup task. Also required in the Startup task is the unlocking of the SSL configuration section of Web.config. This step specifies a Startup task with elevated privileges running Startup.cmd.

14. After the changes, the Startup.cmd will look as follows:

Figure 24: Startup.cmd file

15. Open the ServiceDefinition.csdef file, and add the following XML element to the TODO: 5.8.1 section.

XML

<Startup>
  <Task commandLine="Startup.cmd" executionContext="elevated" taskType="simple">
  </Task>
</Startup>

16. Save, Publish and Deploy (Production Deployment) the solution to the hosted service that you created earlier in Exercise 1 (Ex: AzureHolUsingCerts.CloudApp.net).

17. The hosted service should now look as follows:

Figure 25: Hosted Service

Task 2 – Testing the Service

1. On the development machine, open a new instance of the Internet Explorer browser and navigate to your service URL. Note: You must use https (Ex: https://azureholusingcerts.cloudapp.net/salaryservice.svc).

2. Since your development machine has the client certificate installed in the Personal certificate store, the browser will prompt you to confirm the certificate. (Note: Since a self-signed certificate is used, you see this Windows Security message. When a certificate issued by an authority is used, you will not see this message.)

Figure 26: Windows Security Pop-up

3. Select the client certificate and click OK.

4. You should be able to see the service details.

Figure 27: Service details

5. Now, try to access the same service from a different machine, where the certificate is not installed. You will notice that the browser shows a server error, and access to the service is denied.

Figure 28: Access is denied error

To enable access to this service from machines that do not yet have access to it, distribute the client certificate and install it on the end-user machine. All end-user machines requiring access to the service should have the client certificate installed in their Personal certificate store.
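As an added example (not the lab's own code) of the three certificates from Exercise 1 and the two access tests above: a self-signed signing certificate issues a server certificate and a client certificate, a local HTTPS service accepts only client certificates that chain to the signing certificate, and three callers try it: with the client certificate, with none, and with a certificate from an unrelated self-signed root. Names such as LabSigningCert and LabClient are assumed; the lab's own certificate names are not on the page.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue creates a certificate for cn signed by parent; with parent == nil it is self-signed.
func issue(cn string, ca bool, eku x509.ExtKeyUsage, parent *x509.Certificate, signer any) (*x509.Certificate, tls.Certificate) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: ca, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{eku},
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}} // httptest serves on 127.0.0.1, so the server cert must name it
	if parent == nil { parent, signer = tmpl, key } // self-signed: the lab's signing certificate (and the stray root below)
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	cert, _ := x509.ParseCertificate(der)
	return cert, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// call requests the service as a client that trusts roots and presents ids (none = no client certificate installed).
func call(url string, roots *x509.CertPool, ids ...tls.Certificate) bool {
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots, Certificates: ids}}
	resp, err := (&http.Client{Transport: tr}).Get(url)
	if err != nil { return false } // handshake refused by the server: the lab's "access is denied" outcome
	resp.Body.Close()
	return resp.StatusCode == http.StatusOK
}

// demo builds the three lab certificates plus a stray self-signed one, hosts a service requiring a client cert issued by the signing cert, and reports who got through.
func demo() (withClientCert, noClientCert, untrustedCert bool) {
	signing, signingID := issue("LabSigningCert", true, x509.ExtKeyUsageAny, nil, nil)
	_, serverID := issue("LabServer", false, x509.ExtKeyUsageServerAuth, signing, signingID.PrivateKey)
	_, clientID := issue("LabClient", false, x509.ExtKeyUsageClientAuth, signing, signingID.PrivateKey)
	_, strayID := issue("StrayClient", true, x509.ExtKeyUsageClientAuth, nil, nil) // not issued by our signing cert
	roots := x509.NewCertPool()
	roots.AddCert(signing)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("ok")) }))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{serverID}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: roots}
	srv.StartTLS()
	defer srv.Close()
	return call(srv.URL, roots, clientID), call(srv.URL, roots), call(srv.URL, roots, strayID)
}
```

As in the lab, every machine holding a copy of the client certificate's private key is accepted identically, so the service authenticates possession of the certificate rather than a particular user.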

6. To test the AdjustSalary method from the machine that has the client certificate, open the browser window and navigate to:

Enter a Starting Salary and Inflation and click the Get Adjusted Salary button. You will see a Windows security alert asking you to confirm the client certificate. Click the client certificate and click OK.

Figure 33: Windows Security Alert

This Windows Security dialog is displayed when using a self-signed certificate. However, using a certificate signed by a certificate authority will eliminate this problem; in the meantime, you can ignore the error.

For more details refer to: http://msdn.microsoft.com/en-us/library/ff795779.aspx

8. The result of the calculation (inflation adjusted salary) is now displayed.

Task 2 – Displaying the Web Part

1. The HTML code snippet can be inserted into a SharePoint HTML Web Part (as explained in JQuery Labs, Labs 5 and 6). However, you will run into an access denied error message. This is due to the use of a self-signed certificate. The self-signed certificate that was used in the lab is used for authentication in the development environment only. However, using a certificate signed by a certificate authority will eliminate this problem.

For more details refer to: http://msdn.microsoft.com/en-us/library/ff795779.aspx

Summary

The cloud security design ensures that a customer’s data is only accessible by authorized entities. Windows Azure provides confidentiality via several mechanisms, one of which is Identity and Access Management using private keys and certificates.

In this lab, you learned to create a signing certificate and store it in the machine root. You also created self-signed client and server certificates and stored them in the appropriate certificate stores. You also learned how to create SharePoint Web Parts to consume a Windows Azure hosted WCF service over https.